Apache parses configuration directives in the order it sees them and applies them to the specified location and everything underneath it, so the require valid-user from your <Location /> block overrides the Allow from all from your <Location /login.html> block — you end up requiring authentication to access anything (including...